ML20097J766
| ML20097J766 | |
| Person / Time | |
|---|---|
| Site: | Dresden, Quad Cities  |
| Issue date: | 06/30/1995 |
| From: | Swanson P CONCORD ASSOCIATES, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML17180B458 | List: |
| References | |
| CA-TR-95-019-20, CA-TR-95-019-20-R01, CA-TR-95-19-20, CA-TR-95-19-20-R1, NUDOCS 9509010263 | |
| Download: ML20097J766 (33) | |
Text
__. _. _
4 s
CA/TR-95-019-20 DRESDEN STATION UNITS 2 & 3 TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS FINAL REPORT by P. J. Swanson Prepared for U.S. Nuclear Regulatory Conunission Office of Nuclear Regulatory Researth Division of Safety Issue Resolution March,1995 Rev.01, June,1995 CONCORD ASSOCIATES. INC.
Systems Perfonnance Engineers 725 Pellissippi Parkway Knoxville, TN 37932 Contract No. NRC-04-91-069 Task Order No. 20 h60 90 'MNb YA % !l d
1 f
,I j
i' 1
TABLE OF CONTENTS I
I E.
EXECUTIVE
SUMMARY
................................. El El.
Plant Characterization................................ El E2.
Licensee IPE Process................................ El E3.
Human Reliability Analysis............................. El E4.
Generic Issues and CPI............................... E3 i
E5.
Vulnerabilities and Plant Improvements..................... E4 E6.
Observations..................................... E4 1.
INTRODUCI1ON 1
I.1 Review Process....................................
1 1.2 Plant Characterization................................. I 1
H.
TECHNICAL REVIEW...................................
2 H.1 Licensee IPE Process................................
2 H.1.1 Completeness and Methodology 2
H.I.2 Multi-Unit Effects and As-Built, As-Operated Status.........
3 11.1.3 Ijcensee Participation and Peer Review.................. 3
)
II.2 Pre-Initiator Human Actions............................
4 i
II.2.1 Types of Pre-Initiator Human Actions Considered 4
H.2.2 Process for Identification and Selection of Pre-Initiator Human Actions...............................
4 H.2.3 Screening Process for Pre-Initiator Human Actions..........
6 H.2.4 Quantification Process for Pre-Initiator Human Actions.......
6 H.3 Post-Initiator Human Actions...........................
6 H.3.1 Types of Post-Initiator Human Actions Considered..........
7 II.3.2 Process for Identification and Selection of Post-Initiator Human Actions...............................
7 H.3.3 Screening Process for Post-Initiator Human Actions 8
II.3.4 Quantification Process for Post-Initiator Human Actions.......
8 H.3.5 Generic Issues and CPI........................... 13 H.3.6 Flooding Analysis.............................. 14 H.4 Vulnerabilities, Insights and Enhancements................... 14 H.4.1 Vulnerabilities................................ 14 H.4.2 Insights Related to Bunan Performance................. 15 II.4.3 Human Performana Related Enhancements.............. 17 IH.
CONTRACTOR OBSERVATIONS AND CONCLUSIONS 17 REFERENCES............................................. 21 1
1
)
i l
j
~.
EXECUTIVE
SUMMARY
1 This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Commonwealth Edison Company (CECO) Individual Plant Examination (IPE) submittal for the Dresden Station Units 1 and 2 to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staffin their evaluation of the IPE and conclusion regarding whether the submittal i
meets the intent of Generic Imer 88-20.
E.1 Plant Characterization The Dresden Station' Units 2 and 3 are operated by Commonwealth Edison Company (CECO) and share a site located in Morris, Illinois. Dresden Units 2 and 3 both employ General Electric BWR-3 type reactors. The units use a Mark I containment and employ the use of isolatian condensers. Dresden Unit 2 began commercial operation in June of 1970 and Unit 3 in November of 1971. Dresden Operator training includes the use of a full-scope nuclear power plant training simulator. 'Ihe simulator is an integral part of Dresden's operator training program which is INPO accredited.
E.2 13ren=* IPE Process The submittal discussion of the HRA methodology was very general. The findings and conclusions in this TER are based on the submittal plus more detailed information provided j
by the licensee in response to an NRC request for additional information. Much of the 1
licensee's response was merely a reference to CECO's answers to questions on the Quad Cities submittal, which employed the same methodology as Dresden.
The methodology used for quantification of post-initiator human actions is the Westinghouse, IPE Partnership (IPEP), implementation of THERP. This basic approach has been used for i
all of the Ceco plants we've reviewed, although we note several improvements in the Dresden analysis over what was seen in the Zion submittal.
CECO personnel were substantially involved in the IPE. CECO was supported in the analysis by the IPEP, consisting of Westinghouse, TENERA, and Fauske and Associates. Dresden Station p=
d provided support to the project through data collection, plant walkdowns, interviews concerning operator or equipment response, and some review of accident sequence madeling. Confirmation that the IPE model represented the as-built, as-operated plant was accue.yushed by a combination of document review and plant walkdowns. The licensee appears to have performed an appropriate internal review of the HRA. No separate indg~..f.cr.: review was provided.
E.3 Human Reliability Analysis-Pre-Initiator Human Actions - The submittal contained limited discussion on pre-initiator errors, such as miscalibration or failure to properly restore / align equipment after test or El
,.-..,---a
<,---n-
maintenance. Material provided by the licensee in response to an NRC request for additional information indicates that seven pre-initiator human actions were quantified and included in the IPE model. The licensee did not include miscalibration pre-initiator errors in the model.
Quantification of pre-initiator human actions was performed using the same Westinghouse (IPEP) adaptation of the THERP methodology employed for post-initiator actions. Basic HEPs were obtained from THERP tables for proceduralized actions. Basic HEPs were not modified by plant-specific performance shaping factors. Factors such as human-machine interface design, lighting, labeling, adequacy of procedures, and training were considered to have been addressed by other programs, such as the Detailed Control Room Design Review, and were considered to be nominal, i.e., to have no impact on the basic HEP. HEPs were adjusted to account for potential error recovery by routine testing. For example, the HEP for failure to properly restore the diesel-driven fire pump after annual testing was multiplied by 1/12 to account for the expected identification and recovery of the error during monthly testing.
Based on our findings, we conclude that the treatment of pre-initiator human actions for the Dresden IPE was somewhat limited in scope and level of detail (in comparison to some PRAs), but the quantification was generally consistent with THERP guidance. A more rigorous assessment of pre-initiator actions by the licensee, especially errors made in calibration, may have provided more insight on the human contribution to plant risk.
Post-Initiator Human Actions - The Dresden analysis of por,t-initiator human actions focused on response actions. Non-proceduralized recovery actions were not addressed, with the exception of recovery of offsite power. Some proceduralized actions that may be referred to as recovery actions in other PRAs were included as response actions per the Dresden definition.
The process for identification of important post-initiators human actions appears to have been systematic and reasonably thorough. Operator actions which are specifically called for in the Dresden Emergency Operating Procedures (DEOPs) and which were deemed to significantly alter the progression of the accident and the equipment used by the operator were examined for quantification.
No numerical screening of post-initiator human actions was performed. All post-initiator i
operator actions identified by the licensee were quantified using the Westinghouse THERP-based approach.
Human errors are included as top-level actions in the Plant Response Trees (PRTs) and in
' fault trees. The fault tree actions are system-related; sequence-specific factors and dependencies are not addressed for those actions. Each operator action addressed in the PRTs involved two parts: a detection / diagnosis / decision (cognitive) part; and, an execution part.
However, the licensee makes a basic assumption that because of procedures and training. the cognitive part of operator actions can be quantified using basic HEPs from THERP tables for
" rule-based" or step-by-step actions. This assumption is, in our view, overly simplistic.
E2
+
4 Treatment of errors in these " cognitive" actions as errors of omission / commission in step-by-step procedures is inconsistent with THERP and other current HRA techniques, and may lead to an overly optimistic estimate of operator reliability.
Recovery factors applied to reduce basic HEPs were consistent with THERP, or were based on speculative models that in our view were reasonable and not inconsistent with subjective evaluations in other PRAs. Dependencies among individual steps in a single action and among multiple actions in a sequence were accounted for by using a decision tree to assess the level of dependence, and applying the depandancy model of THERP. He decision tree appears to be reasonable, and the implementation of the THERP model appears to have been consistent with THERP guidance. With the exception of the basic assumption that operator diagnostic / detection / decision actions can be treated essentially the same as step-by-step proceduralized actions, and the related impact on selection of THERP tables and lpm 4;on of THERP guidance, the Phase 1 quantification process for post-initiator actions appears to have been a reasonable, though relatively generic, approach.
'Ihe discussion of the Phase 2 approach is limited, but it appears that the Phase 2 assessment provided some opportunity for more in-depth, though qualitative and subjective, assessment of plant-specific factors influencing the most significant operator actions. And, it provided an additional opportunity for direct involvement of operations / training staffin the HRA process.
De subminst is essentially complete with respect to the type of information and the level of detail requested in NUREG-1335. It appears that the Dresden IPE used a reasonable approach, with one exception, that is consistent with the guidance provided in NUREG-1335 and with practices found in other PSAs. The licensee's interpretation of NUREG-1335 led to their consideration of only non-procedural actions, thereby eliminating from further ransieration all of the actions quantified that were reduced below the cutoff value by low human erzor, namely procedurally directed response and recovery actions. As a result, the licensee naay have missed an opportunity to gain added insight on other important human acticas which were screened out.
Inmortant Operator Actions - De licensee provided a concise listing of quantitative results of the HRA. The top three most important human actions identified through importance analysis are; 1) OMUP, operator action to supply makeup to shell side of the IC, 2) OSPC, operator action to establish suppression pool cooling, and 3) OAD, operator action to depressurize the reactor vessel. A sensitivity analysis _ was performed as part of the licensee assessment of these action.
j E.4 Gemede Issue and CPI Decay heat removal, GSI-45A is addressed and treated in the Dresden submittal. Two insights were identified in the DHR analysis which lead to Dresden's incorporation of procedural enhancements. First, the loss of 125VDC will result in the failure of automatic initiation of the IC. However, operator action can be taken to keep the ICs in service without DC power. The second deals with failure of Suppression Pool Cooling, where operator action can be taken to continue makeup to the reactor vessel.
E3
~
E.5 Vulnerabilities and Plant Improvements Vulnerabilities - The submittal did not provide a precise definition of vulnerability, but did clearly specify criteria used to identify a vulnerability. The criteria are consistent with the guidance in NUREG-1335. No vulnerabilities were identified.
Plant Improvements - There were no plant improvementa iocatified. However, the IPE process, specifically CECO's Tiger Team evaluation of the risk dgnificance of different insights, did result in recommendation for two procedural enhancements.
E.6 Observations Rated on our findings, we conclude that the HRA allowed the licensee to develop a general quantitative understanding of the contribution of human errors to core damage frequency and containment failure probabilities. However, there are three areas which may lead the licensee to underestimate the impact of human error, and which may warrant more in-depth consideration by the licensee: (1) the potential contribution from errors in pre-initiator human actions, particularly miscalibration of instrumentation, (2) the treatment of human behavior in the diagnosis / detection / decision phase of post-initiator human actions, and (3) the omission of procedurally directed actions when considering all sequences that, but for low human error rates in recovery actions, would have been above the applicable core damage frequency screening criteria.
E4
I. INTRODUCTION 4
This Technical Evaluation Report (TER) is a summary of the review of the human reliability' analysis (HRA) presented as part of the Dresden Station Individual Plant Examination (IPE) submittal to the U.S. Nuclear Regulatory Commission (NRC). 'Ihe review was performed to assist NRC staffin their evaluation of the IPE and conclusion regarding whether the submittal meets the intent of Generic Imtier 88-20. 'Ihis section of the TER highlights findings from the technical review.
I.1 Review Process l
l
'Ibe HRA review was a " document-only" process which consisted of essentially four steps:
(1)
Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.
(2)
F@ation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was required from the licensee, and formulating requests to the licensee for the necessary additional information.
(3)
Review of preliminary findings, conclusions and proposed requests for additional information (RAls) with NRC staff and with " front-end" and "back-end" reviewers (4)
Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee and finalize conclusions.
Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. No discussions were held with plant personnel or IPFlHRA analysts, either during the initial review of the submittal, nor after receipt of licensee responses to NRC RAls. No review of detailed " Tier 2" information was performed, except for selected details provided by the licensee in direct response to NRC RAls. In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process. The review addressed the reasonableness of the overall approach with regard to its ability to permit the licensee to meet the goals of Generic letter 88-20.
I.2 Plant Characterization 4
The Dresden Station Units 2 and 3 are operated by Commonwealth Edison Company (CECO) and share a site located in Morris, Illinois. Dresden Units 2 and 3 employ General Electric boiling water reactors, both type BWR-3. The units use a Mark I containment and employ l
the use of isolation condensers. Dresden Unit 2 began commercial operation in June of 1970 and Unit 3 in November of 1971.
1
I Dresden Units 2 and 3 share a common full-scope nuclear power plant training simulator dedicated for the training of plant operator personnel. The simulator is an integral part of Dresden's operator training program which is INPO accredited.
H.
TECHNICAL REVIEW H.1 IJeensee IPE Process l
De Dresden submittal is a Level 2 Probabilistic Risk Assessment (PRA) into which accident i
management program considerations were integrated. The PRA methodology follows to a degree conventional practice such as described in NUREG/CR-2300 (Reference 3), using the large event tree approach. A notable difference from traditional approaches is the use of event trees referred to as Plant Response Trees (PRTs) that integrate systems analysis and containment analysis, effectively Level 1 and I.evel 2 PRA, in one tree.
CECO has adopted the Individual Plant Evaluation Partnership (IPEP) adaptation of THERP for the performance of HRA on all of the plants which they operate. In NRC's review of the Zion Station IPE submittal, a number of concerns were raised with the IPEP HRA. CECO had made some basic changes to the HRA methodology when they performed the IPE on the Dresden and Quad Cities plants. In general, these changes improved upon the Zion method and eliminated some, but not all, of the concerns identified in the Zion review. The limitations which remain in the CECO HRA approach will be highlighted in the body of this report. The HRA approach described in the submittal consists of two " phases". The first phase employs a Technique for Human Error Rate Prediction (THERP)-based approach to
. develop and quantify HEPs for selected actions identified in emergency operating procedures (EOPs) and subtasks associated with the Dresden abnormal operating procedures (AOPs), or oqher prn=hmes or operating instructions (ops). The second phase is an " expert judgement" method, consisting primarily of " discussions" with Dresden training / operating personnel to verify or validate estimates for a limited set of important HEPs. Phase 2 included some observation of operator actions in the Dresden training simulator. Data sources for basic HEPs are primarily taken from generic data in NUREG/CR-1278 tables (Reference 1).
Dese are =9mented by plant-specific data and modified by performance shaping factors (PSFs) to amnamt for plant-specific conditions affecting human performance. PSFs were evaluated through an adaptation of THERP tables based upon guidelines developed by the licensee and their contractor (IPEP).
ILI.1 Cmnpisess and Methodolony De description of the HRA effort in IPE, Section 4.4.2 provides a reasonably clear understanding of the general methodology and approach used to address human actions. The overall HRA approach is said to follow that of THERP. Human actions considered important enough to analyze were selected on the basis of analyst judgement from analysis of system.
documentation, primarily procedures - EOPs, AOPs, SOls, etc. Plant walk-downs were discussed in Sectic i 2.3, but there is no specific mention to its relevance in HRA. Specific operator tasks required by procedure in response to accident events were broken down into 2
g._
l i
3 1
3
}
subtasks, and were analyzed qualitatively and quantitatively using basic concepts of THERP, i
nominal HEP estimates from THV.RP tables, and Job Performance Measures (JPMs) for l
applicable tasks. These tasks were limited to those operator actions performed in the main control room. De likelihood af operators identifying errors they have made and
" recovering" from those errtrs was also estimated. Stress related performance shaping
{
factors are used to adjust the nominal HEPs, and the "best-estimate" values were then used j
directly in PRTs and Fault Trees to quantify sequences.
l i
H.I.2 Multi-Unit Effects and As-Built As-OnerntM Statm
}
De NRC review of the submittal attempts to determine whether the utility personnel were involved in the development and application of PRA techniques to their facility, and that the l
associated walkdowas and documentation reviews constituted a viable process for confirming that the IPE represents the as-built and as-operated plant.
i Dual unit r-Mmtions are reported in systems analysis Section 1.3.3, and treatment of dual unit issues is discussed in Section 2.5. System analysis is reported to have included careful examination of plant procedures, operator training manuals, and plant administrative policies concerning shared and cross-tied systems. The IPE discusses the treatment of dual unit
{
dependencies for hardware support systems and front-line systems. However, discussion of i
specific findings or factors related to HRA in dual unit operations is presented only at a very high level without specifics, stating only that no credit was taken for actions related to l
sharing of syerm i
l De IPE subrnitsal contains a clear description of the process of development / adaptation of l
event trees and support system event trees. Selected operator actions, from those that are i
proceduralized and covered in training, were incorporated directly into the PRTs. A general j
rationale (basically analystjudgement) for selection of the operator actions to be included is
{
provided in the IPE HRA discussion. This is a very straightforward and clear way of j
accounting for operator actions in response to accident initiators.
I The systems analysis appears to be comprehensive, and the IPE submittal information appears l
to provide clear concise summaries of the results of the analysis. A system notebook was j-developed for each system analyzed. An outline of the contents of the system notebook is l
provided in the submittal, and a summary of important results for each system are i
highlighted. Human errors were treated in both fault trees and PRTs. Eighteen (18) operator 4
i actions were analyzed and quantified in the fault tree analysis. Nineteen (19) human actions l
were quantified in the PRTs in various combinations of dependency, performance shaping j
factors, and tirne constraints for a total of fifty-nine events which were incorg.W thorough the PRTs. De submittal provides a concise listing of results of the PRT and Fault Tree analysis in IPE Tables 4.4.2-1 and 4.4.2-2.
t H.I.3 Licensee Particination and Peer Review I
i The Dresden IPE was conducted by Commonwealth Edison Company (CECO) and their consultant, the Individual Plant Evaluation Partnership (IPEP) comprised of Westinghouse, TENERA, and Fauske and Associates. The organizational of the IPE team is common for all i
3 I
of the CECO plants. He HRA portion of the IPE was performed by CECO systems analysts who have extensive operating experience and supported by a member (HRA specialist) from j
the IPEP organization. In addition, the licensee involved an ir-%t HRA specialist to review and comment on the HRA portions, although external review was not part of the overall CECO process. He submittal provides only limited information on the extent and degree of Dresden Station personnel participation for supporting CECO personnel with performance and review of the IPE. Additional information supplied by the licensee in response to an NRC question indicates that a satisfactory level of Dresden-specific experience j
was represented in the IPE effort to assure the as-built, as-operated plant was reasonably j
represented.
med on the above findings as documented in the submittal, we conclude that overall the licensee's IPE process included steps to provide reasonable assurance that the IPE model represents the as-built, as-operated plant.
II.2 Pre-Initiator Human Actions Errors in performance of pre-initiator human actions (i.e., actions performed during routine operations and maintenance, such as failure to restore or properly align equipment after testing or maintenance, or calibration of system logic instrumentation) may cause components, trains, or entire systems to be unavailable on demand during an accident, and thus may significantly impact plant risk. The NRC staff review of the HRA portion of the IPE examines the licensee's HRA process to determine what consideration was given to pre-initiator human events, how potential events were identified, the effectiveness of quantitative and/or qualitative screening process (es) employed, and the processes for accounting for plant-specific performance shaping factors, recovery factors, and dependencies among multiple actions.
11.2.I Tynes of Pre-Initiator Human Actions Considered Typically, PRAs address potential errors in two types of pre-initiator human actions: I) restoration of equipment after maintenance or test, and 2) calibration of instruments. As noted earlier, there is no discussion in the submittal of assessment of pre-initiator human actions. However, several pre-initiator human actions appear in Table 4.4.2-2, listing human i
actions accounted for in the fault trees. In response to a request for additional information, the licensee provided additional assessment detail associated with restoration / realignment pre-initiator human actions quantified in the IPE model, see Table II.2 - I below. From the material presented by the licensee, it appears that errors in calibration were deemed to be insignificant. None of the seven HEPs included in the model dealt with calibration errors.
11.2.2 Prome for Identification and Selection of Pre-Initiator Human Actions He key concerns of the NRC staff review regarding the process for identification and selection of pre-initiator human events are: (a) whether maintenance, test and calibration procedures for the systems and components modeled were reviewed by the systems analyst (s),
and (b) whether discussions were held with appropriate plant personnel (e.g., maintenance, 4
s Table 11.2-1 Pre-Initiator Actions Modeled and Quantified in the Dresden IPE Failure to restore Unit I diesel fire pump following test or maintenance.
l Failure to restore Unit 2/3 diesel fire pump following test or maintenance.
l Master trip unit A not restored after test / maintenance.
Master trip unit B not restored after test / maintenance.
Master trip unit C not restored after test /maintenmace.
Master trip unit D not restored after test / maintenance.
Operator fails to switch service water strainers daily.
training, operations) on the interpretation and implementation of the plant's test, maintenance and calibration procedures to identify and understand the specific actions and the specific components manipulated when performing the maintenance, test, or calibration tasks.
The licensee states that a qualitative screening process was used, "To identify the maintenance / surveillance procedures having the potential for the most significant pre-initiator." However, the licensee also notes that the first step of this screening process was that, "The test, maintenance and calibration procedures performed for the systems and components deemed important to mitigate core damage or containment releases were reviewed to evaluate the related ' failure to restore' events." Thus it appears that the review focused only on restoration actions; and that, calibration procedures were reviewed, but miscalibration errors were judged to be not significant.
Qualitative screening guidance applied to restoration errors included the following:
- 1) Systems that are normally in service were not evaluated further because any lack of operability upon completion of the test, maintenance and/or calibration would be immediately obvious.
- 2) Systems where a functional test, an alarm, or some other independent method of operability detection is available were not evaluated further.
These qualitative screening rules are reasonable, and are typical of guidance used in other PRAs. 'Ihe important consideration in the HRA is that these general assumptions are supported by rigorous plant-specific assessment. A systematic evaluation of procedures and discussion with plant maintenance and operations penannel should be carried out, with direct observation of in-plant practice where appropriate, to verify that actual plant procedures and practicejustify eliminating specific actions from consideration orjustify credit for error recovery mechanisms. In response to an NRC request for additional information, the licensee indicated that the pre-initiator analysis had included review of procedures and " numerous" queries of plant personnel regarding key activities and the availability and use of procedures. Direct observation of maintenance, test, surveillance or calibration procedures was not deemed to be necessary.
i i
t i
B.2.3 Screenine Process for Pre-Initiator Human Actions
)
~
l No numerical screening of pre-initiator human actions was performed to identify the most I
critkal actions or eliminate less important actions from funher consideration. As l
indicated above, the subjective identification and qualitative screening eliminated all but i
neven restoration or alignment pre-initiator actions from further consideration.
B.2.4 Ouantifiention Prrw*ee for Pre Initintar Human Actians i
Quantification of pre-initiator human actions was performed using the Westinghouse (IPEP) adaptation of THERP. No diagnosis / detection / decision phase was assumed for l
pre-initiator actions, which is appropriate. Basic HEPs for errors of omission and errors of commission were obtained from THERP tables for proceduralized actions. Basic HEPs j
were not modified by plant-specific performance shaping factors. Factors such as
{
human-machine interface design, lighting, labeling, adequacy of procedures, and training j
were considered to have been addressed by other programs, such as the Detailed Control l
Room Design Review, and were considered to be nominal, i.e., to have no impact on the basic HEP. In each case examined, only one critical operator action was considered in
^
each procedure; thus there was no accounting for dependencies among multiple actions.
HEPs were adjusted to account for pataatial error recovery by routine testing. For example, the HEP for failure to properly restore the diesel-driven fire pump after annual testing was multiplied by 1/12 to account for the expected identification and recovery of the error during monthly testing.
In ourjudgment, the quantification process for pre-initiator human actions for the Dresden IPE was relatively limited in the level of detail and the rigor of plant-specific assessment, but is generally consistent with THERP guidanca. The range of resulting HEPs is typical _
l of HEP values for generally restoration errors in other PRAs. The scope of the analysis, i.e., the number and types of actions quantified is relatively limited compared to other i
IPEs reviewed. In particular, it appears that calibration errors were dismissed from detailed consideration without a rigorous plant-specific assessment. Calibration errors have been identified as significant in some other PRAs.
H.3 Fest-Initiator Human Actions Human error in responding to an accident initiator, e.g., by not recognizing and diagnosing the situation properly, or failure to perform required activities as directed by procedures, can have a significant effect on plant risk, and in some cases have been shown to be dominant contributors to core damage frequency (CDF). Dese errors are referred to as post-initiator human errors. De NRC staff review determines the types of post-initiator errors considered by the licensee, and evaluates the processes used to identify and select, screen, and quantify post-initiator errors, including issues such as the means for evaluating timing, dependency among human actions, and other plant-specific.
performance shaping factors.
6
~.
II.3.1 Tyoes of Post-Initiator Human Actions Considered Dere are two important types of post-initiator actions considered in most PRAs: response actions, which include those human actions performed in response to the first level directives of the emergency operating procedures / instructions (EOPs, or EOls); and, recovery actions, which include those performed to recover a specific failure or fault (primarily equipment failure / fault) such as recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event.
Only proceduralized recovery actions (actions by operators in response to events) for which operators receive training were analyzed. Consistent with most PRAs, operator action that may initiate an event (apparently) was addressed through estimated frequency of occurrence for each initiating event, though this was not stated explicitly in the IPE.
The summary material presented in the IPE submittal was sufficient to gain a general perspective of the HRA approach.
11.3.2 Pr-for Identification and Selection of Post-Initiator Human Actions The primary thrust of the NRC staff review related to this question is to assure that the process used by the licensee to identify and select post-initiator actions is systematic and i
thorough enough to provide reasonable assurance that important actions were not inappropriately precluded from examination. Key issues are whether: (1) the process included review of plant procedures associated with the accident sequences delineated and the systems modeled; and, (2) discussions were held with appropriate plant personnel (e.g., operators, shift supervisors, training, operations) on the interpretation and implementation of plant procedures to identify and understand the specific actions and the specific components manipulated when responding to the accident sequences modeled.
In the Dresden submittal, the general summary of the process for sequence analysis, i.e.,
for development of the PRTs, suggests a systematic top-down structure based heavily on accident response procedures was used to identify and delineate the accident sequences.
The process began with the definition of critical safety functions. The identification of systems and operator actions necessary to avoid core damage was guided by tracking the accident progression through the Dresden Emergency Operating Procedures (DEOPs),
which imptementation the BWR Owners Group symptom-based Emergency Procedure Guidelines.
De systeun analyst used the DEOPs or operator actions to recover a failed system (recovery actions) identified and initiated from the Abnormal Operating Procedures (AOPs) and Operating Procedures (ops) to determine primary operator actions. Subtasks within those higher level operator tasks were selected for quantitative HRA analysis if they were " absolutely necessary" time-driven actions. In addition to the plant procedures the licensee used job performance measures (JPMs) as an additional check on the critical steps. The Dresden operators are expected to perform these tasks and subtasks from memory (considered skill of the trade).
7,
Success criteria for the final sequence descriptions include operator actions and equipment failures or unavailability. Information was gathered from Dresden site personnel via meetings, telephone conversations with members of Operations and Training, and simulator observations. The licensee stated that the simulator observations provided general information on shift manning and division of duties, command and control, communications practice, procedure usage, control room human factors, and quality of simulator training.
His process appears to be one which provides reasonable assurance that important (post-inMator) operator actions would not be overlooked.
Auditiona' -.iication of completeness in identification of human actions is provided by comparisor. 4 th previous BWR PRAs. Our comparison indicated that most of the importam actions typically included in other BWR PRAs were included in the Dresden analysis.
H.3.3 Screening Prow for Post-Initiator Human Actions d
No numerical screening of post-initiator human actions was performed to identify the most critical actions or eliminate less important actions from more detailed analysis.
Qualitative screening was performed, based on judgement of the IPE analysts and iterative review by a human factors /HRA specialist. All operator actions identified from the review of procedures and discussions with operations staff were quantified and included in the IPE model.
H.3.4 Ouantification Process for Post-Initiator Human Actions Quantification of post-initiator HEPs was accomplished using a two-phase approach.
Phase I was the quantification of human error probabilities, generally following the guidance and using data tables from THERP. Phase 2 HRA involved " verification /
validation" of selected Phase 1 results. This verification and validation involved a review of the phase 1 results by the HRA analysts, a PRT analyst, and Dresden simulator instructors and operators. That review included discussion of action steps for each of the operator actions that was found to significantly affect the core melt frequency, a walkthrough of the control roorr ' d a. + demonstration of some selected accident sequences, a discussion of instuctor obseres of operator performance during training and testing, and a discussion of potential s%ths and weaknesses of the procedures.
1 Conducting such " discussions" and obsen ng sperator response during simulated accident sequences are positive contributions to t'. ndA. However, the discussions of the Phase 2 assessment provided by the licensee are very limited, and did not provide evidence that the Phase 2 assessment was substantially more rigorous than the Phase 1 assessment. All adjustments made to Phase 1 HEPs were in the downward direction, i.e., HEPs were i
reduced as a result of the Phase 2 assessments. A limited number of system-related operator actions were included in the fault-tree models. Sequence-specific factors and dependencies were not addressed for those actions, ne quantification of human actions focused on the higher level actions modeled in the PRTs.
8
l
)
4 1
From the high level summary information provided in the submittal and the licensee's l
response to NRC's request for additional information, it appears that the quantitative analysis generally follows the THERP process using nominal (generic) HEPs from the Handbook tables, modifying nominal HEPs by application of various performance shaping
[
factors, and probabilistically combining values for indapandant and dapradant steps to arrive at a "best-estimate" value for the HEP of the overall human action analyzed.
l Specific points of interest related to our review of the licensee's process for post-initiator HRA are discussed in the paragraphs which follow.
i H.3.4.1 Use of Generic vs. Plant-Spectfc Data - Plant documentation used to acquire HRA information was described in sufficient detail to support the HRA review. This included input from operations staff in addition to document review.
Key issues for HRA are (1) the degree of involvement by operations staff with current knowledge of plant / systems operations, (2) the degree of involvement of the HRA specialist (s) with the team review of this information, and (3) the rigor of the process by which information, particularly subjective information from operators, was obtained and documented. There were discussions conducted with operations personnel, and plant walk-downs were conducted. It is inferred that the responsible HRA analyst (s) on the team were fully involved and integrated with the other team members. Discussions with simulator instructors and operators led to modification of dependency values which resulted in non-conservative adjustments being made to two of the risk-significant operator actions identified (IPE, Section 4.4.2.3.2), see Table II.3-1 below. For the OAD action (operator Table II.3-1 PHASE 2 HRA ADJUSTMENTS FOR SIGNIFICANT OPERATOR ACTIONS CASE TREE (S)
DEPENDENCY DEPENDENCY PHASE 1 PHASE 2 PHASEt PHASE 2 HEP HEP OAD-CS4 SBO Moderate Low 3.1E-02 1.1E-02 OAD-CSS SBO Moderate Low 1.5E-01 5.9E-02 OAD-CS8 LOOP Moderate low 3.2E-02 1.2E-02 OAD-CS9 LOOP Law Zero 1.1E-02 1.0E 03 j
i OSP-CS3 Trans., SBO High Moderate 1.1E41 3.1E42
~
- 10RV, LOOP, ATWS OSP-CS3 125VDC High Moderate 1.1E-01 3.5E-02 OSP-CS10 SBO High Moderate 1.1E-01 1.1E-02
)
OSP-CS11 - SBO High Moderate 5.0E 01 1.5E-01 action to initiate depressurization) HEPs were reduced in station blackout and loss of off-site power sequences based on two board operators monitoring separate level instruments and on training emphasis. The largest adjustment was for LOOP case 9
t CS9 which redami the HEP from 1.lE-02 to 1.0E-03. In the OSPC (operator initiates suppression pool cooling) action similar adjustments were made based upon the crew being trained to focus on SPC as a critical function, and anticipating the need for this function any time heat is added to the suppression pool.. The basis for these adjustments appear reasonable.
II.3.4.2.
Treatment of Cognitive Behavior - The licensee states that each post-initiator action included in the PRTs is treated as consisting'of two parts: a detection / diagnosis / decision (cognitive) part, and an execution part. His designation of two distinctly different types of human behavior is common to most current HRA models/ techniques. In Dresden's HRA, treatment of the cognitive portion of " response" actions assumes "These actions have distinct entry conditions and are directly controlled by the EOPs and operating procedures - very little diagnosis is seguired." Operator actions have been quantified using essentially the same basic HEPs used in THERP (Table 20-10), i.e., " rule-based" or step-by-step actions in reading of meters. In our opinion, this is an overly simplistic treatment of operator response in response to an abnormal event, and may lead to overly optimistic estimates of HEPs. The THERP diagnosis model described in Table 12-4 of NUREG/CR-1278 relates " Diagnosis" with actions to " perceive, discriminate, interpret, diagnose" an event, and the operators' "first-level of decisionmaking".
Diagnosis is therefore more than just classifying the nature of the event; it includes recognition that an event has occurred, and interpretation of the necessary actions (including the decision to enter the emergency procedures if needed). Thus, the scope of the THERP diagnosis model encompasses more than mere identification of the type of accident scenario. While the use of EOPs may remove the need to identify the specific type of accident such as a LOCA, their use does not remove the need for other aspects of diagnosis. For example, the operator must recognize the EOP entry conditions have been met, and that the EOPs are directly and completely applicable in a particular scenario. The use of procedures, as well as training and practice on simulators, is intended to aid the operator in the diagnosis / detection / decision phase by guiding the operator more directly to proceduralized step-by-step procedures. However, there is little data on operator performance in actual accident situations, or even simulator studies, upon which to base conclusions about human error probabilities. Most existing HRA approaches, including THERP and those developed under EPRI sponsorship (Reference 2),
have employed simplified conceptual models, in which the error probability decreases as the time available for cognitive action increases. These models, while speculative, do recognize potentially basic differences in human behavior in these
" cognitive" tasks vs. " execution" tasks.
II.3.4.3 Basic HEPs - Diagnosis / detection / decision actions are considered as " time-critical" or "non-time-critical". The submittal notes that the Dresden emergency procedures are flow-chart procedures typical of the BWROG EPGs, which provide general guidance for symptom-based response, not necessarily specific step-by-step guidance. Specific action execution, e.g., line up of systems indicated in the DEOPs, especially for time-critical action, is accomplished from memory by the operators. These activities are considered " skill of the craft".
10,
1 Operators are expected to refer to step-by-step procedures as time permits to verify correct line ups. For non-time-critical actions, the operators are expected to follow procedures step-by-step. In either case basic HEPs were taken from THERP_ tables for errors of omission or errors of commission. For example, basic HEPs for errors of omission in time-critical actions, which are assumed to be performed from memory, are taken from THERP Table 20-8, " Estimated probabilities of errors in recalling oral instruction items not written down." It is our understanding that this THERP table is intended for routine situations in which individuals are given oral instructions, e.g., by a supervisor, consisting of one to five or more distinct steps. 'Ihe human behavior that is the focus of the THERP discussion underlying this table, and of the focus of the basic research supporting the discussion, is essentially short-term memory. It is not at all clear that application of the basic HEPs in this table to operator response under accident conditions using the BWR flow-chart procedures is appropriate.
The execution portion of the action addressed only those steps which were judged by the systems analysts to be the minimum required steps to meet the PRA success criteria. Both errors of omission and commission are treated. Omission errors include missing a procedure step or failure to recall non-written instructions.
Commission errors include selection of the wrong switch, control or gage, or improper operation of controls given cormet selection. The nominal HEPs for j
errors of omission and commission were taken from the various THERP tables for rule-based actions. The licensee's interpretation and application of THERP tables is not always in strict compliance with THERP guidance. For example, the licensee assumed that use of THERP tables for procedures with check-off provisions is appropriate, because Dresden operators use markers as place-keeping aids. THERP guidance (page 15-13 of the Handbook) is that, " Proper use of a checklist is defined as reading an item in the checklist, performing.the operation called for in the item, and then checking off that item in the checklist to indicate it has been done. Any other use of a checklist is defined as improper and is considered as tantamount to ignoring the checking function of the checklist."
H.J.4.4 Treannent ofStress - The submittal states that factors such as " lighting, noise levels, control board ergonomics and administrative controls" were considered nominal and were not addressed in the HRA. Adjustment to basic HEPs was made to account for stress, for error recovery factors, and for dependencies among multiple steps / actions. Factors considered in assessing the stress level were the time available to perform the action, the amount of activity during that time, and the availability of systems and components. In general, less time available, greater workload, and more equipment failures were considered to result in higher stress. Consistent with THERP, stress levels were assessed as optimal, moderate, or high; the nominal HEP was used for conditions with optimal stress, and a factor of 2 or 5, respectively, was applied for moderate and high stress. These values of multiplier factors in THERP are for " step-by-step" procedures. The THERP guidance indicates higher values for dynamic actions in response to abnormal events (e.g., a factor of 5 for moderate stress). Thus, the selection of the PSF value is consistent with the licensee's basic assumption that 11 n.-,a.
---nn-,---
e
.- -. - - - -, ~ -- - -., -
.---..n--
l J
post-initiator response actions can be treated as step-by-step procedures, but is not consistent with the recommended values in THERP.
H.3.4.5 Error Recovery Factors - Two "models" are used to account for the potential for operators to detect and recover human error before significant consequence occurs. The first is a THERP model which adjusts the HEP (multiplies by a factor) to account for specific identified error recovery mechanisms such as:
1 e
A procedure step directing the operator to verify that the sys+em is '
performing its intended function e
A second alarm at another location in the control room that a different crew -
member may acknowledge An alarm that would indicate that the action had not been performed correctly, assuming that there would still be sufficient time to accomplish the action.
A second factor, the " slack-time" recovery factor is applied to represent the
. potential for recognition and recovery of a human error by a person or persons not previously involved with the accident response / mitigation, e.g., manning of the Technical Support Center, arrival of off-duty personnel to assist the crew, etc.
The submittal discussion of this recovery factor was unclear and inconsistent.
However, clarification was provided by the licensee in response to an NRC request for additional information. The slack time recovery credit was applied to non-time-critical actions only, and was applied only if the required action could be delayed more than one hour after the initiation of the event. In those cases, a multiplier 0.11 was applied to reduce the HEP estimate. While this "model" of slack time recovery is speculative, the credit taken by the licensee is not unreasonable and was applied logically to selected actions.
Error recovery is one of the areas where the Dresden analysis applied a more conservative approach than what was seen in the Zion submittal. Specifically, the additional recovery by STA or TSC was applied following review on a case-by-case basis and then only credited if slack time was greater than one hour.
R.J.4.6 Dependencies - The HRA addressed two types of dependencies:
(1) among subtasks within a single operator action, and (2) among multiple operator actions within the same sequence. A " decision tree" was used to assign dependency levels between PRT nodes, i.e., between top-level operator actions within the same sequence. The decision tree was provided by the licensee in response to an NRC request for additional information. In our view, it provides the analyst with a consistent rationale for assessing dependency. The quantification of the impact of dependency follows the THERP guidance. The formulae presented in Table 20-17 of the THERP Handbook were used for the conditional probability of failure on task "n", given failure of the previous task 12,
"n-1" was applied for five levels of dependency - complete, high, moderate, low and zero.
The treatment of dependencies in the Dresden analysis is a marked improvement over Zion's treatment of dependency where each action was assumed to be i e t.
H.3.4. 7 Recowry Method and CreditJbr Reconry Actions - In the Dresden IPE, recovery actions analyzed are those that are in the DEOPs. Some PRAs model in addition extra-procedure actions that operators might logically perform whether or not they are proceduralized. The Dresden IPE identifies that certain recovery actions could improve core damage frequency estimates, but takes no credit for such actions.
Both the front-end and back-end IPE reviewers identified the same operator actions as important to preventing (mitigating) core damage. 'Ihose significant actions include:
I)
Initiation of suppression pool cooling, 2)
Initiation of isolation condenser mode of cooling, 3)
Manual depressurization of the vessel, and 4)
ATWS event (s).
We reviewed the Dresden HEP results for these actions with similar actions from five (5) other BWR IPEs. These comparisons suggest that the Dresden findings are within a reasonable range for typical numbers.
11.3.5 Generic Issues and CPI Decay Heat Removal Analysis - As discussed in Section 4.6.4, Dresden's decay heat removal is accomplished by the following key systems:
Transient-type events - decay beat is removed by the Isolation Condenser (IC). If IC fails, bleed and feed operation using high pressure injection from either FW or HPCI, relief valves or the main condenser, and 1
associated operator actions. Should FW or HPCI fail, the reactor is i
manually depressurized and low pressure systems in conjunction with SPC are used. Once recirculation loop temperature in below 350 'F the shutdown cooling system can also be used.
e Medium or large LOCA events (excluding ISLOCA) and inadvertent open relief valve (IORV) events - decay heat is removed by SPC and low l
pressure systems which would include LPCI, CCSW, CS and associated operator actions.
The licensee discusses the failure modes associated with the above systems and alternate methods for addressing each failure. Operator actions associated with recovery from each failure are identified. Two insights were identified which lead to Dresden's incorporation 13,
of procedural enhancements. First, the loss of 125VDC will result in the failure of auta=ade initiation of the IC. However, operator action can be taken to keep the ICs in service without DC power. The second deals with failure of SPC, where operator action is taken to continue makeup to the reactor vessel. The specific procedural enhancements associated with these events am discussed under Section II.4.3 of this report.
II.3.6 Flooding Analysis
'Ibe discussion of the flooding analysis in Section 4.4.4 of the submittal is rather general.
All of the identified flooding zones, except for the Unit and 3 Turbine Condensate Pump Rooms, were eliminated from consideration on the basis of a qualitative review of flooding effects. 'Ibe submittal states that the frequency of flooding in these rooms is estimated to be 1.2E42 per year; that the effects would be similar to a loss of feedwater transient; and, that the contribution of this irJtiator is insignificant in comparison with the overall frequency of transient initiators. The only indication of consideration of human-performance in the Gooding analysis is a statement that instruments required by the operasors for operator actions in the top nodes of fault trees were included in the assessment of survivability ofimportant equipment. Specific actions were not identified, and no discussion of any analysis of those human actions is provided.
I II.4 VulnerabHities, Insights and Enhancements II.4.1 Vulnerabilities The submittal does not provide a precise definition of a severe accident vulnerability.
However, it does present a concise listing of criteria for reporting sequences to the NRC as part of the IPE submittal. These remrting criteria were that the sequences which meet the foGowing criteria, not to exceed t. ' sp 100 sequences meeting one or more criteria, wondd be reported:
1)
Any sequence that contributes IE-07 or more per reactor year to core damage.
2)
All sequences within the upper 95 percent of the total core damage frequency.
3)
All sequences within the upper 95 percent of the total containment failure probability.
4)
Sequences tan contribute to a containment bypass frequency in excess of IE-08 per reactor year.
5)
Any sequence that CECO determines from previous applicable PRAs or by engineeringjudgment to be of interest irrespective of core damage frequency or estimated containment performance.
6)
Any sequence that dropped below the core damage frequency criteria because the frequency was reduced by more than an order of magnitude by credit taken for human recovery actions not in the Dresden emergency procedures.
Tirse criteria appear to be consistent with guidance in NUREG-1335, with the exception' of criterion 6. In our view, this request in NUREG-1335 includes proceduralized actions.
However, we recognize that there were different interpretations of the requested i
information, and of the dermition of recovery actions. The licensee's interpretation of 14
--r
this reporting guidance is consistent with the licensee's definition of recovery actions.
The licensee's sensitivity studies on the most important actions address to some degree the underlying issue.
The submittal also summarizes an evaluation of the Dresden IPE results against the NUMARC Severe Accident Closure Guidelines. Accident sequences were grouped into eight groups and compared to NUMARC guidelines for specific levels of closure action.
All sequences groups fell below the NUMARC frequency cutoffs, and therefore no actions are required. The IPE submittal concludes that there were no vulnerabilities identified for Dresden.
11.4.2 Indehts R*1stad to Human Performance The submittal distinguishes between "IPE insights" and " Accident Management insights".
The IPE insights, discussed in IPE Section 4.7.1, are those that address the capability of the existing plant to respond to an initiating event. Accident Management (AM) insights, discussed in Section 5 of the submittal, deal with enhancements to the capability of the plant emergency response organization to respond to an accident situation, given that it i
has occurred. The submittal provides a high-level summary of the structured processes -
for identifying IPE insights and AM insights during the course of and provides some general statistics on the nature of those insights, i.e., the percent of the 130 findings in each of six broad categories as follows:
(1) Generic Procedure Enhancements (11%)
(2) Plant Specific Procedure Enhancements (42%)
(2) Hardware Enhancements (27%)
(3) Training (6%)
(4) Information (11%)
l (5) Test & Maintenance (3%).
In response to an NRC request for additional information, the licensee provided information on examples of IPE insights. The process appears to have been effectively l
implemented.
The CECO process for identification of AM insights as an integral part of the IPE is an advancement beyond the general guidance for IPE submittals. It has been used and reported in previous CECO IPEs. The process appears to provide systematic and effective guidance to individuals performing and reviewing the IPE to identify AM insights in five broad areas:
(I) Organization and Decision Making
.(2) Accident Management Guidance (Strategies) i (3) Calculational Tools (4) Training (5) Plant Status Information l
15 l
.. _ - _ _. _ _ _. _.. _... ~. _ _ _ _ _ _.. _ _ ~. _ _ _ _ _ _ _ _. _ _.. - _ _ _ _ _ _.
i 11.4.2.1 impact ofHuman Performance on Sewre Accident Behavior - Importance.
calculations were performed, but only selected references to results are provided in
[
the submittal. Operator actions are top-level elements in the PRTs for most sequences of importance; and appear in virtually all of the top 23 dominant accident l
sequences.
t Sensitivity studies were performed on three of the most significant operator actions:
i (1) OMUP Operator action to supply makeup to shell side of the IC i
(2) OSPC '
Operator action to establish suppression pool cooling (3) OAD Operator action to depressurize the reactor vessel.
All three of these actions appear in multiple sequences, and because of sequence i
dependencies have multiple values for HEPs. Increasing the values of the HEPs for j
these three operator actions (individually) had a significant but not dramatic impact on CDF as shown in Table II.4-1 below. The table shows the estimated total CDF when all instances of the operator action were quantified at the nominal HEP compared to the total CDF when all instances of the operator action had the HEP
{
increased or decreased by a factor of 10. Decreasing the HEPs by an order of magnitude had a relatively small effect on the estimated CDF.
i
}
An additional sensitivity study was performed on recovery of offsite power. In the j
IPE model, no credit was taken for recovery of offsite power given that AC power was available. Taking credit for offsite power recovery decreased the CDF only slightly, from 1.90E-05 to 1.60E-05. The licensee concludes on the basis of this i
sensitivity study that, given that no other improvements are considered, improvements in procedures and training associated with recovery of offsite power i
for non-station blackout sequences would not result in significant risk benefit.
Table II.4-1 Results of Sensitivity Study on Three Important Operator Actions ACTION NOMINAL CDF INCREASED HEP DECREASED HEP OMUP 1.90E-05/yr 3.90E-05/yr 1.70E-05/yr OSPC 1.90E-05/yr 4.30E-05/yr 1.60E-05/yr OAD 1.90E-05/yr 3.10E-05/yr 1.70E-06/yr 11.4.2.2 Sequences Screened Out By I.aw HEPs - The licensee states in IPE Section 4.6.2, "there were no accident sequences that dropped below the core damage frequency criteria because the frequency had been reduced by more than an 16
order of magnitude by credit taken for human recovery actions not defined in the Dresden EOPs." Given that HEP analysis is only performed on those operator actions which are covered by DEOPs, the licensee has eliminated from consideration an important group of sequences. Guideline 2.1.6.6 of NUREG-1335, specifies a listing and a discussion of any sequences that drop below the applicable core damage screening criteria because the frequency has been reduced by more than an order of magnitude by credit taken for human recovery actions. The elimination of sequences with procedurally directed operator actions is likely to deprived the licensee of valuable information on human actions deserving of additional consideration.
II.4.3 Human Performance Related Enhancements The Dresden IPE process, specifically CECO's Tiger Team evaluation of the risk significance of different insights, did result in recommendation for two procedural enhancements. The two procedure enhancements identified are related to suppression pool cooling failures which ultimately lead to the inability to supply coolant to the vessel and the continued operation of ths dation condenser under extended station blackout conditions. In the " Conclusions" section of the IPE Executive Summary, the licensee states that a reduction in core damage frequency from 1.85E-05 to 3.8E-06 could be realized from the implementation of the enhancements. The licensee acknowledges the significant reduction in CDF that was realized as a result of procedure changes.
However, this marked improvement is not considered to reflect a previous vulnerability with the proceoures, merely an expanded use of available support systems to reduce risk.
The first procedure enhancement relates to alignment of LPCI or Core Spray pump suction to the condensate storage tank when suppression pool cooling cannot be established. This enhancement allows injection to the reactor vessel to be maintained when it would otherwise be lost due to insufficient net positive suction head for the low pressure ECCS pumps as the suppression pool water is heated.
The second deals with sequences associated with station blackout (SBO) conditions.
Although SBO sequences fell just below the cutoff fo the NUMARC Closure Guidelines for requiring enhancements, CECO elected to modify plant procedures for loss of all AC power to instruct the plant operators to manually open the circuit breakers to the isolation condenser's motor-operated valves prior to depletion of the 125VDC batteries to allow continued operation of the ICs, even under extended SBO conditions.
III. CONTRACTOR OBSERVATIONS AND CONCLUSIONS The intent of our document-only review of the licensee's HRA process is to determine whether the process supports the licensee's meeting specific objectives of GL 88-20 as they relate to human performance issues. That is, whether the HRA process permits the' licensee to:
17,
(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.
(2) Identify and understand the operator actions iiiipori rit to the most likely accident sequeces and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.
I (3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.
(4) Identify potential vulnerabilities and enhancements, and if necessary/ appropriate, implement reasonable human performance related enhancements.
It is our general conclusion from the review of the submittal and the additional material provided by the licensee in response to NRC requests for additional information that the licensee's HRA process provided the licensee with the ability to meet the objectives of GL 88-20 summarized above, with three notable limitations not withstanding:
1)
It appears that the Dresden IPE for the most part used a reasonable approach that is consistent with the guidance provided in NUREG-1335 and with practices found in other PRAs. The submittal is essentially complete with respect to the type of information and the level of detail requested in NUREG-1335. There is one exception. The limnsee states that no accident sequences were identified that were screened out because of low human error. The licensee's interpretation of NUREG-1335 led to their consideration of only non-procedural actions under this criteria, thereby discriminating from further consideration all of the actions quantified that wue reduced below the cutoff value by low human error, nammely proceduraBy aErected response and recovery actions. As a result, the licensee may have missed the opportunity to gain added insight on other important bumma actions which were screened out.
2)
Pre-initiator human actions were considered in the analysis. Based on the submittal and additional infoonesian provided we conclude that the licensee's quantification of pre-initiator actions selected for inclusion in the fault trees was reasonable.
However, their appmach for identification of pre-initiators was limited in that human error associated with the actual calibration of instruments was not considered. The licensee states that the process for identification and selection of pre-initiator human events involved the detailed review of applicable plant procedures and discussion with the appropriale plant personnel. However, we believe that by electing not to.
consider human aror associated with the performance of calibration, the licensee may have missed the opportunity to identify enhancements in human perforinance.
18,
i l
J d
l
.e i
3)
'Ihe treatment of post-initiator human actions was for the most part reasonably complete and thorough. Both response and recovery (proceduralized recovery actions) actions were considered. The piewss for identification and selection of J
post-initiator errors inr*M the review of appropriate procedures and discussions with the appropriate plant dsp.iLT, cats, i.e., operations, training, etc. The
{
quantification process appears to be complete and thorough to the licensee's l
guidelines, although several areas depart from the THERP guidelines upon which the i
licensee's methodology is based. We believe the licensee's treatment of
" diagnosis" in the aanlysis to be weak, and could possibly contribute to overly -
i optimistle probabilities and implicit assumptions about human behavior in the l
post-accident phase which appose traditionally accepted views.
1 8
De review of Dresden's HRA included examination areas where specific limitations were found in previous HRA performed by Commonwealth Edison Company (CECO), namely l
Zion The IPE reports that CECO's handling of the Dresden HRA included the services i
c(an wapa@ HRA Wist. In general, the content and detail of the HRA portion l
of the IPE reflects a tangible benefit derived by Dresden from this input. A number of j
concerns identified in the Zion review were absent from the Dresden analysis. Most j
notable improvements include,1) Dresden used a more conservative treatment of unproceduralized recovery in the quantification of post-initiator human errors, 2) l Wy between multiple human actions in a sequence were considered in the Dresden eas.:,ds, whereas Zion assumed each action to be independent, and 3) more plant-specific l
treatment of human actions in analysis, i.e., less mechanistic than the Zion approach.
i l
Other general observations include the following:
i l
1)
Based on the submittal and licensee's responses to NRC's request for additional information, we conclude that overall the licensee's IPE process included the l
necessary steps to provide reasonable assurance that the IPE model represents the as-i built, asperated plant.
i
{
2)
De licensee appears to have performed an appropriate internal review of the HRA.
i l
3)
De licensee's process for systematic search and collection of "IPE insights" and
- Accident Management insights" throughout the process is particularly good and j
appears effective.
1 4)
Because of potential lisaitations in the licensee's methodology, we placed particular emphasis on review of the quantitative results with those of other similar IPEs.
l Dresden's results appear generally consistent with the other studics reviewed,.
i j
5)
Through the HRA process the licensee identified two procedural enhancements, both j
associated with decay heat removal (DHR) sequences, which significantly j
contributed to a reduction in CDF. The reduction in CDF as a result of the j
procedure changes is not viewed, by the licensee, as a resulting from the elimination i
1 19
I 4
4 a vulnerability, but better utilization of available systems and plant features.
Overall, the insights gain from the IPE appear consistent with the intent of the guidance letter.
4 1
l 1
i i
20
J
~
REFERENCES l
1.
Swain, A.D. and H.E. Guttmann, " Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plants," Final Report, NUREG/CR-1278F, August,1983.
2.
G.W. Parry, et al., "An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment," EPRI TR-100259, June,1992.
3.
NUREG/CR-2300, "PRA Procedures Guide," Office of Nuclear Regulatory Research, USNRC, January,1983.
j 21